Restricting the Geographic Distribution of Your Content

You can use geo restriction, also known as
geoblocking, to prevent users in specific geographic locations from
accessing content that you're distributing through a CloudFront web distribution. To use geo
restriction, you have two options:

Use the CloudFront geo restriction feature. Use this option to restrict access to all of the
files that are associated with a distribution and to restrict access at the country level.

Use a third-party geolocation service. Use this option to restrict access to a subset
of the files that are associated with a distribution or to restrict access at a finer
granularity than the country level.

Using CloudFront Geo Restriction

When a user requests your content, CloudFront typically serves the requested content
regardless of where the user is located. If you need to prevent users in specific countries
from accessing your content, you can use the CloudFront geo restriction feature to do one of the
following:

Allow your users to access your content only if they're in one of the countries on a
whitelist of approved countries.

Prevent your users from accessing your content if they're in one of the countries on
a blacklist of banned countries.

For example, if a request comes from a country where, for copyright reasons, you are not
authorized to distribute your content, you can use CloudFront geo restriction to block the
request.

Note

CloudFront determines the location of your users by using a third-party GeoIP database. The
accuracy of the mapping between IP addresses and countries varies by region. Based on
recent tests, the overall accuracy is 99.8%.

Here's how geo restriction works:

Suppose you have rights to distribute your content only in Liechtenstein. You update
your CloudFront web distribution and add a whitelist that contains only Liechtenstein.
(Alternatively, you could add a blacklist that contains every country except
Liechtenstein.)

A user in Monaco requests your content, and DNS routes the request to the CloudFront edge
location in Milan, Italy.

The edge location in Milan looks up your distribution and determines that the user
in Monaco is not allowed to download your content.

CloudFront returns an HTTP status code of 403 (Forbidden) to the user.

You can optionally configure CloudFront to return a custom error message to the user, and you
can specify how long you want CloudFront to cache the error response for the requested object; the
default value is five minutes. For more information, see Customizing Error Responses.

Geo restriction applies to an entire web distribution. If you need to apply one
restriction to part of your content and a different restriction (or no restriction) to
another part of your content, you must either create separate CloudFront web distributions or use
a third-party geolocation service.
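The Liechtenstein whitelist from the walkthrough above, expressed as the Restrictions element of a CloudFront DistributionConfig, which is the shape the CloudFront API and CLI take instead of the console form. This is an added example, not AWS code; it assumes the caller already has the rest of the DistributionConfig and the distribution's current ETag, and the country codes passed in are the two-letter ISO 3166-1 codes CloudFront expects.

```python
"""Build the GeoRestriction element of a CloudFront DistributionConfig.

Added example, not AWS code. The key names (GeoRestriction, RestrictionType,
Quantity, Items) are those of the CloudFront API's DistributionConfig; the
function assembles and validates them from a plain list of country codes.
"""
import re

COUNTRY_CODE = re.compile(r"^[A-Z]{2}$")  # CloudFront takes ISO 3166-1 alpha-2 codes
RESTRICTION_TYPES = ("none", "whitelist", "blacklist")


def geo_restriction(restriction_type, countries=()):
    """Return {"GeoRestriction": {...}} for a whitelist, a blacklist, or no restriction."""
    if restriction_type not in RESTRICTION_TYPES:
        raise ValueError(f"unknown RestrictionType {restriction_type!r}")
    items = []
    for code in countries:
        code = code.strip().upper()
        if not COUNTRY_CODE.match(code):
            raise ValueError(f"not an ISO 3166-1 alpha-2 code: {code!r}")
        if code not in items:  # the API rejects duplicate entries
            items.append(code)
    if restriction_type == "none" and items:
        raise ValueError("RestrictionType 'none' takes no countries")
    if restriction_type != "none" and not items:
        raise ValueError(f"a {restriction_type} needs at least one country")
    restriction = {"RestrictionType": restriction_type, "Quantity": len(items)}
    if items:
        restriction["Items"] = items
    return {"GeoRestriction": restriction}


if __name__ == "__main__":
    # Rights to distribute only in Liechtenstein: a one-country whitelist.
    print(geo_restriction("whitelist", ["LI"]))
```

The returned dict goes under the `Restrictions` key of the distribution config you pass to `aws cloudfront update-distribution` together with the distribution's ETag in `--if-match`. Whichever type you pick, the restriction still covers every file in the distribution, as the paragraph above explains.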

If you enable CloudFront access logging, you can identify the requests that CloudFront rejected by
searching for the log entries for which the value of sc-status (the HTTP status
code) is 403. However, using only the access logs, you can't distinguish a
request that CloudFront rejected based on the location of the user from a request that CloudFront
rejected because the user didn't have permission to access the object for another reason. If
you have a third-party geolocation service such as Digital Element or MaxMind, you can
identify the location of requests based on the IP address in the c-ip (client
IP) column in the access logs. For more information about CloudFront access logs, see Access Logs.
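To make the log search above concrete, here is an added example (not AWS code) that parses CloudFront access-log lines using the #Fields header, picks out every request answered with sc-status 403, and collects the c-ip values you would hand to a geolocation service. The log lines are constructed for the example and carry only a subset of the columns a real log has; as the text notes, a 403 on its own does not tell you whether geo restriction or some other permission check rejected the request.

```python
"""Pull the 403 entries out of a CloudFront access log (added example, not AWS code)."""
from collections import Counter

# Constructed sample log. Real CloudFront logs are tab-separated, start with
# '#Version' and '#Fields' lines, and carry more columns than shown here.
SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status\n"
    "2019-01-01\t12:00:00\tMXP64\t493\t203.0.113.10\tGET\td111111abcdef8.cloudfront.net\t/video.mp4\t403\n"
    "2019-01-01\t12:00:01\tMXP64\t1024\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/video.mp4\t200\n"
    "2019-01-01\t12:00:02\tMXP64\t493\t203.0.113.10\tGET\td111111abcdef8.cloudfront.net\t/index.html\t403\n"
    "2019-01-01\t12:00:03\tFRA2\t493\t203.0.113.55\tGET\td111111abcdef8.cloudfront.net\t/video.mp4\t403\n"
)


def parse_cloudfront_log(text):
    """Yield one dict per entry, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # '#Version' or another directive line
        if fields is None:
            raise ValueError("log entry appears before the #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield dict(zip(fields, values))


def rejected_requests(text, status="403"):
    """(c-ip, cs-uri-stem) for every request CloudFront answered with `status`."""
    return [
        (entry["c-ip"], entry["cs-uri-stem"])
        for entry in parse_cloudfront_log(text)
        if entry["sc-status"] == status
    ]


def rejected_ips(text):
    """Count 403s per client IP: these c-ip values are what a geolocation
    service (Digital Element, MaxMind, ...) would map to a location."""
    return Counter(ip for ip, _ in rejected_requests(text))


if __name__ == "__main__":
    for ip, count in rejected_ips(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} rejected request(s)")
```

Because the parser reads the column order from the #Fields line rather than hard-coding positions, it keeps working when CloudFront adds columns at the end of the log format.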

The following procedure explains how to use the CloudFront console to add geo restriction to
an existing web distribution. For information about how to use the console to create a web
distribution, see Working with Web Distributions.

To use the CloudFront console to add geo restriction to your CloudFront web distribution

Using a Third-Party Geolocation Service

The CloudFront geo restriction feature lets you control distribution of your content at the
country level for all files that you're distributing with a given web distribution. If you
have geographic restrictions on where your content can be distributed and the restrictions
don't follow country boundaries, or if you want to limit access to only some of the files
that you're distributing through CloudFront, you can combine CloudFront with a third-party geolocation
service. This can allow you to control access to your content based not only on country but
also based on city, zip or postal code, or even latitude and longitude.

When you're using a third-party geolocation service, we recommend that you use CloudFront
signed URLs, which let you specify an expiration date and time after which the URL is no
longer valid. In addition, we recommend that you use an Amazon S3 bucket as your origin because
you can then use a CloudFront origin access identity to prevent users from accessing your content
directly from the origin. For more information about signed URLs and origin access
identities, see Serving Private Content through CloudFront.

The following task list explains how to control access to your files by using a
third-party geolocation service.

Task list for restricting access to files in a CloudFront distribution based on geographic location

Get an account with a geolocation service.

Upload your content to an Amazon Simple Storage Service (S3) bucket. For more information, see the Amazon S3 documentation.

Evaluate the return value from the geolocation service to determine whether the
user is in a location to which you want CloudFront to distribute your content.

Based on whether you want to distribute your content to the user's location,
either generate a signed URL for your CloudFront content, or return HTTP status code 403
(Forbidden) to the user. Alternatively, you can configure CloudFront to return a custom
error message. For more information, see Customizing Error Responses.

For more information, refer to the documentation for the geolocation service that
you're using.

You can use a web server variable to get the IP addresses of the users who are visiting
your website. Note the following caveats:

If your web server is not connected to the Internet through a load balancer, you can
use a web server variable to get the remote IP address. However, this IP address isn't
always the user's IP address—it can also be the IP address of a proxy server,
depending on how the user is connected to the Internet.

If your web server is connected to the Internet through a load balancer, a web
server variable might contain the IP address of the load balancer, not the IP address of
the user. In this configuration, we recommend that you use the last IP address in the
X-Forwarded-For HTTP header. This header typically contains more than one
IP address, most of which are for proxies or load balancers. The last IP address in the
list is the one most likely to be associated with the user's geographic location.

If your web server is not connected to a load balancer, we recommend that you use web
server variables instead of the X-Forwarded-For header to avoid IP address
spoofing.
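The decision step of the task list above, combined with the client-IP caveats just described, as an added example that is not AWS code. It chooses the address to geolocate the way the caveats recommend (the web server's remote address when there is no load balancer, the last X-Forwarded-For entry when there is one), looks the address up, and returns either an allow decision, after which your application would mint a CloudFront signed URL as described in Serving Private Content, or a deny decision that you answer with HTTP 403 or a custom error page. The geolocation table is constructed for the example; a real deployment would query Digital Element, MaxMind or a similar service.

```python
"""Client-IP selection and a country whitelist check in front of CloudFront content.

Added example, not AWS code. The geolocation data is constructed: RFC 5737
documentation prefixes assigned to made-up countries in place of a real lookup.
"""
import ipaddress

ALLOW = "allow"
DENY = "deny"

# Constructed stand-in for a third-party geolocation database.
CONSTRUCTED_GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "LI",   # stands in for Liechtenstein
    ipaddress.ip_network("198.51.100.0/24"): "MC",  # stands in for Monaco
}


def lookup_country(ip):
    """Return a country code for ip, or None when the service has no mapping."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for anything that is not an IP
    for network, country in CONSTRUCTED_GEO_DB.items():
        if addr in network:
            return country
    return None


def client_ip(remote_addr, headers, behind_load_balancer):
    """Choose the address to geolocate, following the caveats above.

    Without a load balancer, the web server's remote address is the only value the
    client cannot set freely, so X-Forwarded-For is ignored there.
    Behind a load balancer, remote_addr is the balancer itself; the last entry of
    X-Forwarded-For is the one the balancer appended from the connection it
    accepted, so that entry is used rather than anything earlier in the list.
    """
    if not behind_load_balancer:
        return remote_addr
    forwarded = headers.get("X-Forwarded-For", "")
    entries = [part.strip() for part in forwarded.split(",") if part.strip()]
    return entries[-1] if entries else remote_addr


def authorize(remote_addr, headers, allowed_countries, behind_load_balancer=False):
    """Return (decision, country).

    ALLOW means the location is approved and the application should go on to
    generate a CloudFront signed URL; DENY means answer with HTTP 403 (or a
    custom error response). Unknown or malformed addresses are never allowed.
    """
    ip = client_ip(remote_addr, headers, behind_load_balancer)
    try:
        country = lookup_country(ip)
    except ValueError:
        country = None  # header held something that is not an IP address
    if country is not None and country in allowed_countries:
        return ALLOW, country
    return DENY, country


if __name__ == "__main__":
    # A request that reached the web server through a load balancer.
    decision, country = authorize(
        "10.0.0.5", {"X-Forwarded-For": "198.51.100.7, 203.0.113.10"},
        allowed_countries={"LI"}, behind_load_balancer=True,
    )
    print(decision, country)
```

Unknown locations fall through to DENY on purpose: a whitelist that only blocks what it can positively locate would let every unmapped or malformed address through.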